Описание
Spring Cloud Config Server: Path Traversal via Profile Parameter Allows Arbitrary File Access
Vulnerability in Spring Cloud when substituting the profile parameter from a request made to the Spring Cloud Config Server configured to the native file system as a backend, because it was possible to access files outside of the configured search directories.This issue affects Spring Cloud: from 3.1.X before 3.1.13, from 4.1.X before 4.1.9, from 4.2.X before 4.2.3, from 4.3.X before 4.3.2, from 5.0.X before 5.0.2.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2026-22739
- https://github.com/spring-cloud/spring-cloud-config/commit/1870f07befd5f62edcfdaea5ad82441d0fd49912
- https://github.com/spring-cloud/spring-cloud-config/releases/tag/v4.3.2
- https://github.com/spring-cloud/spring-cloud-config/releases/tag/v5.0.2
- https://spring.io/security/cve-2026-22739
Пакеты
org.springframework.cloud:spring-cloud-config-server
>= 4.3.0, < 4.3.2
4.3.2
org.springframework.cloud:spring-cloud-config-server
>= 5.0.0-M1, < 5.0.2
5.0.2
org.springframework.cloud:spring-cloud-config-server
>= 4.2.0, <= 4.2.4
Отсутствует
org.springframework.cloud:spring-cloud-config-server
>= 4.0.0, <= 4.1.7
Отсутствует
org.springframework.cloud:spring-cloud-config-server
<= 3.1.10
Отсутствует
Связанные уязвимости
Vulnerability in Spring Cloud when substituting the profile parameter from a request made to the Spring Cloud Config Server configured to the native file system as a backend, because it was possible to access files outside of the configured search directories.This issue affects Spring Cloud: from 3.1.X before 3.1.13, from 4.1.X before 4.1.9, from 4.2.X before 4.2.3, from 4.3.X before 4.3.2, from 5.0.X before 5.0.2.
Vulnerability in Spring Cloud when substituting the profile parameter ...
Уязвимость сервера Spring Cloud Config, связанная с неверным ограничением имени пути к каталогу, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации